
Message Authentication and Digital Signatures


Academic year: 2021


(1)

Message Authentication and Digital Signatures

(2)

Network Attacks

1. Disclosure: Release of message contents to any person or process not possessing the appropriate cryptographic key.

2. Traffic analysis: Discovery of the pattern of traffic between parties. In a connection-oriented application, the frequency and duration of connections could be determined. In either a connection-oriented or connectionless environment, the number and length of messages between parties could be determined.

3. Masquerade: Insertion of messages into the network from a fraudulent source. This includes the creation of messages by an opponent that are purported to come from an authorized entity. Also included are fraudulent acknowledgments of message receipt or nonreceipt by someone other than the message recipient.

(3)

Network Attacks

4. Content modification: Changes to the contents of a message, including insertion, deletion, transposition, and modification.

5. Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and reordering.

6. Timing modification: Delay or replay of messages. An entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed.

7. Source repudiation: Denial of transmission of message by source.

8. Destination repudiation: Denial of receipt of message by destination.

(4)

Network Attacks: Countermeasures

• Measures to deal with the first two attacks are in the realm of message confidentiality

• Measures to deal with items (3) through (6) are generally regarded as message authentication

• Mechanisms for dealing specifically with item (7) come under the heading of digital signatures

• Generally, a digital signature technique will also counter some or all the attacks listed under items (3) – (6)

• Dealing with item (8) may require a combination of the use of digital signatures and a protocol designed to counter this attack

(5)

Message Authentication

• Message authentication is a procedure to verify that received messages come from the alleged source and have not been altered

• Message authentication may also verify sequencing and timeliness

• A digital signature is an authentication technique that also includes measures to counter repudiation by the source

(6)

Message Authentication Functions

(7)

Message Authentication Functions

• Any message authentication or digital signature mechanism has two levels of functionality

• At the lower level, there must be some sort of function that produces an authenticator: a value to be used to authenticate a message

• This lower-level function is then used as a primitive in a higher-level authentication protocol that enables a receiver to verify the authenticity of a message

• The types of functions that may be used to produce an authenticator:

• Hash function

• Message encryption

• Message authentication code (MAC)

(8)

Message Encryption

(9)

Basic Uses of Message Encryption

(10)

Basic Uses of Message Encryption

(11)

Internal and External Error Control

• With internal error control, authentication is provided

• If instead the FCS is the outer code, an opponent can construct messages with valid error-control codes to create confusion and disrupt operations

(12)

Message Authentication Code

(13)

MAC

• An alternative authentication technique involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC

• This technique assumes that two communicating parties, say A and B, share a common secret key 𝐾

• When A has a message to send to B, it calculates the 𝑀𝐴𝐶 as a function of the message and the key:

𝑀𝐴𝐶 = 𝐶(𝐾, 𝑀)

• A MAC function is similar to encryption, but the MAC algorithm need not be reversible

• Because of the mathematical properties of the MAC function, it is less vulnerable to being broken than encryption

(14)

MAC Functions

If we assume that only the receiver and the sender know the identity of the secret key, and if the received MAC matches the calculated MAC, then:

1. The receiver is assured that the message has not been altered. If an attacker alters the message but does not alter the MAC, then the receiver’s calculation of the MAC will differ from the received MAC. Because the attacker is assumed not to know the secret key, the attacker cannot alter the MAC.

2. The receiver is assured that the message is from the alleged sender. Because no one else knows the secret key, no one else could prepare a message with a proper MAC.

3. If the message includes a sequence number, then the receiver can be assured of the proper sequence because an attacker cannot successfully alter the sequence number.

(15)

Basic Uses of Message Authentication Code

(16)

MACs Based on Hash Functions: HMAC

(17)

HMAC Development

• The motivations for developing a MAC derived from a cryptographic hash function are:

1. Cryptographic hash functions such as MD5 and SHA generally execute faster in software than symmetric block ciphers

2. Library code for cryptographic hash functions is widely available

• With the development of AES and the more widespread availability of code for encryption algorithms, these considerations are less significant, but hash-based MACs continue to be widely used

• HMAC has been issued as RFC 2104, and was chosen as the mandatory-to-implement MAC for IP security, and is used in other Internet protocols, such as SSL

• HMAC has also been issued as a NIST standard (FIPS 198)

(18)

HMAC Design Objectives

• To use, without modifications, available hash functions. In particular, to use hash functions that perform well in software and for which code is freely and widely available.

• To allow for easy replaceability of the embedded hash function in case faster or more secure hash functions are found or required.

• To preserve the original performance of the hash function without incurring a significant degradation.

• To use and handle keys in a simple way.

• To have a well understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions about the embedded hash function.

(19)

HMAC Algorithm

$\mathrm{HMAC}(K, M) = H\big[(K^+ \oplus \mathrm{opad}) \parallel H[(K^+ \oplus \mathrm{ipad}) \parallel M]\big]$
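The following is an added example, not part of the original slides: it builds HMAC from the formula above with SHA-256 as the embedded hash, then uses it for the receiver-side checks listed on the "MAC Functions" slide (integrity, origin, sequence). The padding constants (0x36 for ipad, 0x5C for opad) and the zero-padding of the key follow RFC 2104; the frame layout (8-byte sequence number, payload, tag) and the names `protect` and `accept` are assumptions of this example.

```python
import hashlib
import hmac

BLOCK = 64   # SHA-256 input block size in bytes
TAG = 32     # SHA-256 digest size in bytes


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """H[(K+ xor opad) || H[(K+ xor ipad) || M]] with H = SHA-256 (RFC 2104)."""
    if len(key) > BLOCK:                       # over-long keys are hashed first
        key = hashlib.sha256(key).digest()
    k_plus = key.ljust(BLOCK, b"\x00")         # K+: key zero-padded to one block
    inner_key = bytes(b ^ 0x36 for b in k_plus)    # K+ xor ipad
    outer_key = bytes(b ^ 0x5C for b in k_plus)    # K+ xor opad
    inner = hashlib.sha256(inner_key + message).digest()
    return hashlib.sha256(outer_key + inner).digest()


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: the MAC covers the sequence number as well as the payload."""
    body = seq.to_bytes(8, "big") + payload
    return body + hmac_sha256(key, body)


def accept(key: bytes, frame: bytes, last_seq: int):
    """Receiver side: return (seq, payload), or None if the frame is rejected."""
    if len(frame) < 8 + TAG:
        return None
    body, tag = frame[:-TAG], frame[-TAG:]
    if not hmac.compare_digest(tag, hmac_sha256(key, body)):  # constant-time compare
        return None                            # altered message or wrong key
    seq = int.from_bytes(body[:8], "big")
    if seq <= last_seq:
        return None                            # replayed or out-of-order frame
    return seq, body[8:]


if __name__ == "__main__":
    key = b"constructed-demo-key"              # constructed sample key
    frame = protect(key, 1, b"transfer 10")
    print(accept(key, frame, last_seq=0))      # accepted
    tampered = frame[:8] + b"transfer 99" + frame[-TAG:]
    print(accept(key, tampered, last_seq=0))   # rejected: MAC mismatch
    print(accept(key, frame, last_seq=1))      # rejected: sequence number already seen
```
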

(20)

Efficient Implementation of HMAC

(21)

Security of HMAC

• The appeal of HMAC is that its designers have been able to prove an exact relationship between the strength of the embedded hash function and the strength of HMAC

• The probability of successful attack on HMAC is equivalent to one of the following attacks on the embedded hash function:

1. The attacker is able to compute an output of the compression function even with an IV that is random, secret, and unknown to the attacker

2. The attacker finds collisions in the hash function even when the IV is random and secret

(22)

Digital Signatures

(23)

Digital Signatures: an Overview

• The most important development from the work on public-key cryptography is the digital signature

• The digital signature provides a set of security capabilities that would be difficult to implement in any other way

• Message authentication protects two parties who exchange messages from any third party

• However, it does not protect the two parties against each other

• The most attractive solution to this problem is the digital signature

(24)

A Generic Model of the Digital Signatures

(25)

The Properties of the Digital Signature

• The digital signature must have the following properties:

1) It must verify the author and the date and time of the signature

2) It must authenticate the contents at the time of the signature

3) It must be verifiable by third parties, to resolve disputes

• Thus, the digital signature function includes the authentication function

(26)

Attacks and Forgeries

• Key-only attack: C only knows A’s public key.

• Known message attack: C is given access to a set of messages and their signatures.

• Generic chosen message attack: C chooses a list of messages before attempting to break A’s signature scheme, independent of A’s public key. C then obtains from A valid signatures for the chosen messages.

• Directed chosen message attack: Similar to the generic attack, except that the list of messages to be signed is chosen after C knows A’s public key but before any signatures are seen.

• Adaptive chosen message attack: C is allowed to use A as an “oracle.” This means that C may request from A signatures of messages that depend on previously obtained message-signature pairs.

(27)

Attacks and Forgeries

Success at breaking a signature scheme is an outcome in which C can do any of the following:

• Total break: C determines A’s private key

• Universal forgery: C finds an efficient signing algorithm that provides an equivalent way of constructing signatures on arbitrary messages

• Selective forgery: C forges a signature for a particular message chosen by C

• Existential forgery: C forges a signature for at least one message. C has no control over the message. Consequently, this forgery may only be a minor nuisance to A

(28)

Digital Signature Requirements

• The signature must be a bit pattern that depends on the message being signed

• The signature must use some information only known to the sender to prevent both forgery and denial

• It must be relatively easy to produce the digital signature

• It must be relatively easy to recognize and verify the digital signature

• It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message

• It must be practical to retain a copy of the digital signature in storage

(29)

Direct Digital Signature

• The term direct digital signature refers to a digital signature scheme that involves only the communicating parties (source, destination)

• It is assumed that the destination knows the public key of the source

• Confidentiality can be provided by encrypting the entire message plus signature with a shared secret key (symmetric encryption)

(30)

Direct Digital Signature: the Security

• The validity of the direct digital signature scheme depends on the security of the sender’s private key

• If a sender later wishes to deny sending a particular message, the sender can claim that the private key was lost or stolen and that someone else forged the signature

• Another threat is that a private key might actually be stolen from X at time T. The opponent can then send a message signed with X’s signature and stamped with a time before or equal to T.

• The universally accepted technique for dealing with these threats is the use of a digital certificate and certificate authorities

(31)

Elgamal Digital Signature Scheme

(32)

Elements of Elgamal Digital Signature

• For a prime number $q$, if $\alpha$ is a primitive root of $q$, then $\alpha, \alpha^2, \ldots, \alpha^{q-1}$ are distinct (mod $q$)

• If $\alpha$ is a primitive root of $q$, then:

1. For any integer $m$, $\alpha^m \equiv 1 \pmod{q}$ if and only if $m \equiv 0 \pmod{q-1}$

2. For any integers $i, j$, $\alpha^i \equiv \alpha^j \pmod{q}$ if and only if $i \equiv j \pmod{q-1}$

• The global elements of Elgamal digital signature are a prime number $q$ and $\alpha$, which is a primitive root of $q$

(33)

Generation of a Key Pair

User A generates a private/public key pair as follows:

1. Generate a random integer $X_A$, such that $1 < X_A < q - 1$

2. Compute $Y_A = \alpha^{X_A} \bmod q$

3. A’s private key is $X_A$; A’s public key is $\{q, \alpha, Y_A\}$

(34)

Signing a Message

• To sign a message 𝑀, user A first computes the hash 𝑚 = 𝐻(𝑀), such that 𝑚 is an integer in the range 0 ≤ 𝑚 ≤ 𝑞 − 1

• A then forms a digital signature as follows:

1. Choose a random integer $K$ such that $1 \le K \le q - 1$ and $\gcd(K, q - 1) = 1$. That is, $K$ is relatively prime to $q - 1$

2. Compute $S_1 = \alpha^{K} \bmod q$

3. Compute $K^{-1} \bmod (q - 1)$. That is, compute the inverse of $K$ modulo $q - 1$

4. Compute $S_2 = K^{-1}(m - X_A S_1) \bmod (q - 1)$

5. The signature consists of the pair $(S_1, S_2)$

(35)

Verification of the Signature

• Any user B can verify the signature as follows:

1. Compute $V_1 = \alpha^{m} \bmod q$

2. Compute $V_2 = (Y_A)^{S_1} (S_1)^{S_2} \bmod q$

• The signature is valid if $V_1 = V_2$

(36)

An Example

For example, let us start with the prime $q = 19$. It has primitive roots $\{2, 3, 10, 13, 14, 15\}$. We choose $\alpha = 10$.

Alice generates a key pair as follows:

1. Alice chooses $X_A = 16$

2. Then $Y_A = \alpha^{X_A} \bmod q = 10^{16} \bmod 19 = 4$

3. Alice’s private key is 16; Alice’s public key is $\{q, \alpha, Y_A\} = \{19, 10, 4\}$

(37)

An Example

Suppose Alice wants to sign a message with hash value $m = 14$

1. Alice chooses $K = 5$, which is relatively prime to $q - 1 = 18$

2. $S_1 = \alpha^{K} \bmod q = 10^{5} \bmod 19 = 3$

3. $K^{-1} \bmod (q - 1) = 5^{-1} \bmod 18 = 11$

4. $S_2 = K^{-1}(m - X_A S_1) \bmod (q - 1) = 11(14 - 16 \cdot 3) \bmod 18 = -374 \bmod 18 = 4$

(38)

An Example

Bob can verify the signature as follows

1. $V_1 = \alpha^{m} \bmod q = 10^{14} \bmod 19 = 16$

2. $V_2 = (Y_A)^{S_1} (S_1)^{S_2} \bmod q = (4^3)(3^4) \bmod 19 = 5184 \bmod 19 = 16$

Thus, the signature is valid because $V_1 = V_2$
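The Elgamal key generation, signing and verification steps above, as an added example that is not part of the original slides, run on the values of the worked example ($q = 19$, $\alpha = 10$, $X_A = 16$, $K = 5$, $m = 14$). The function names are this example's own, and the range check on the received $(S_1, S_2)$ in `elgamal_verify` is an addition that the slides do not list.

```python
from math import gcd


def primitive_roots(q: int) -> list:
    """All alpha whose powers alpha^1 .. alpha^(q-1) are distinct mod q (small q only)."""
    return [a for a in range(2, q)
            if len({pow(a, i, q) for i in range(1, q)}) == q - 1]


def elgamal_public_key(q: int, alpha: int, x_a: int) -> int:
    if not 1 < x_a < q - 1:
        raise ValueError("private key must satisfy 1 < X_A < q - 1")
    return pow(alpha, x_a, q)                      # Y_A = alpha^X_A mod q


def elgamal_sign(q: int, alpha: int, x_a: int, m: int, k: int) -> tuple:
    if not (1 <= k <= q - 1 and gcd(k, q - 1) == 1):
        raise ValueError("K must lie in [1, q-1] and be relatively prime to q - 1")
    s1 = pow(alpha, k, q)                          # S1 = alpha^K mod q
    k_inv = pow(k, -1, q - 1)                      # K^-1 mod (q - 1)
    s2 = (k_inv * (m - x_a * s1)) % (q - 1)        # S2 = K^-1 (m - X_A S1) mod (q - 1)
    return s1, s2


def elgamal_verify(q: int, alpha: int, y_a: int, m: int, signature: tuple) -> bool:
    s1, s2 = signature
    # Added check (not on the slides): reject components outside their ranges.
    if not (1 <= s1 <= q - 1 and 0 <= s2 < q - 1):
        return False
    v1 = pow(alpha, m, q)                          # V1 = alpha^m mod q
    v2 = (pow(y_a, s1, q) * pow(s1, s2, q)) % q    # V2 = Y_A^S1 * S1^S2 mod q
    return v1 == v2


if __name__ == "__main__":
    q, alpha, x_a, m, k = 19, 10, 16, 14, 5        # values from the worked example
    print(primitive_roots(q))
    y_a = elgamal_public_key(q, alpha, x_a)
    sig = elgamal_sign(q, alpha, x_a, m, k)
    print(y_a, sig, elgamal_verify(q, alpha, y_a, m, sig))
```
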

(39)

Schnorr Digital Signature Scheme

(40)

Overview

• As with the Elgamal digital signature scheme, the Schnorr signature scheme is based on discrete logarithms

• The Schnorr scheme minimizes the message-dependent amount of computation required to generate a signature

• The scheme is based on using a prime modulus $p$, with $p - 1$ having a prime factor $q$ of appropriate size; that is, $p - 1 \equiv 0 \pmod{q}$

• Typically, we use $p \approx 2^{1024}$ and $q \approx 2^{160}$. Thus, $p$ is a 1024-bit number, and $q$ is a 160-bit number, which is also the length of the SHA-1 hash value

(41)

Generation of a Key Pair

1. Choose primes $p$ and $q$, such that $q$ is a prime factor of $p - 1$

2. Choose an integer $a$, such that $a^{q} = 1 \bmod p$. The values $a$, $p$, and $q$ comprise a global public key that can be common to a group of users

3. Choose a random integer $s$ with $0 < s < q$. This is the user’s private key

4. Calculate $v = a^{-s} \bmod p$. This is the user’s public key

(42)

Signing a Message

A user with private key 𝑠 and public key 𝑣 generates a signature as follows

1. Choose a random integer $r$ with $0 < r < q$ and compute $x = a^{r} \bmod p$. This computation is a preprocessing stage independent of the message $M$ to be signed

2. Concatenate the message with $x$ and hash the result to compute the value $e$:

$e = H(M \parallel x)$

3. Compute $y = (r + se) \bmod q$. The signature consists of the pair $(e, y)$

(43)

Verification of the Signature

Any other user can verify the signature as follows

1. Compute $x' = a^{y} v^{e} \bmod p$

2. Verify that $e = H(M \parallel x')$
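The Schnorr key generation, signing and verification steps above, as an added example that is not part of the original slides. The toy parameters $p = 23$, $q = 11$, $a = 2$ are constructed for illustration (the slides call for a 1024-bit $p$ and 160-bit $q$); SHA-256 as $H$, the byte encoding of $x$, and all function names are assumptions of this example.

```python
import hashlib

# Constructed toy global public key: q = 11 divides p - 1 = 22 and a^q = 1 mod p.
P, Q, A = 23, 11, 2


def schnorr_valid_params(p: int, q: int, a: int) -> bool:
    """q must divide p - 1 and a must satisfy a^q = 1 mod p (with a != 1)."""
    return (p - 1) % q == 0 and a % p != 1 and pow(a, q, p) == 1


def schnorr_public_key(s: int) -> int:
    if not 0 < s < Q:
        raise ValueError("private key must satisfy 0 < s < q")
    return pow(A, -s, P)                       # v = a^(-s) mod p


def schnorr_commit(r: int) -> int:
    """Preprocessing stage, independent of the message: x = a^r mod p."""
    if not 0 < r < Q:
        raise ValueError("r must satisfy 0 < r < q")
    return pow(A, r, P)


def schnorr_challenge(message: bytes, x: int) -> int:
    """e = H(M || x); x is appended as fixed-width big-endian bytes (an assumption)."""
    data = message + x.to_bytes((P.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def schnorr_sign(message: bytes, s: int, r: int, x: int) -> tuple:
    """Message-dependent stage: one hash, one multiplication, one addition mod q."""
    e = schnorr_challenge(message, x)
    y = (r + s * e) % Q
    return e, y


def schnorr_verify(message: bytes, v: int, signature: tuple) -> bool:
    e, y = signature
    x_prime = (pow(A, y, P) * pow(v, e, P)) % P    # x' = a^y v^e mod p
    return e == schnorr_challenge(message, x_prime)


if __name__ == "__main__":
    s, r = 7, 3                                # constructed; r must be fresh and random per message
    v = schnorr_public_key(s)
    x = schnorr_commit(r)
    sig = schnorr_sign(b"constructed message", s, r, x)
    print(v, x, schnorr_verify(b"constructed message", v, sig))
    print(schnorr_verify(b"altered message", v, sig))
```
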

(44)

NIST Digital Signature Algorithm

(45)

The DSA

• In 1991, NIST published Federal Information Processing Standard FIPS 186, known as the Digital Signature Algorithm (DSA)

• The DSA makes use of the Secure Hash Algorithm (SHA)

• The DSA was revised in 1993 in response to public feedback concerning the security of the scheme

• There was a further minor revision in 1996

• In 2000, an expanded version of the standard was issued as FIPS 186-2, subsequently updated to FIPS 186-3 in 2009, and FIPS 186-4 in 2013

• FIPS 186-4 also incorporates digital signature algorithms based on RSA and on elliptic curve cryptography

(46)

Two Approaches to Digital Signatures

(47)

Generation of a Key Pair

Global Public-Key Components:

• $p$ prime number where $2^{L-1} < p < 2^{L}$ for $512 \le L \le 1024$ and $L$ a multiple of 64; i.e., bit length $L$ between 512 and 1024 bits in increments of 64 bits

• $q$ prime divisor of $(p - 1)$, where $2^{N-1} < q < 2^{N}$, i.e., bit length of $N$ bits

• $g = h^{(p-1)/q} \bmod p$, where $h$ is any integer with $1 < h < p - 1$ such that $h^{(p-1)/q} \bmod p > 1$

(48)

Generation of a Key Pair

User’s Private Key:

• $x$ random or pseudorandom integer with $0 < x < q$

User’s Public Key:

• $y = g^{x} \bmod p$

User’s Per-Message Secret Number:

• $k$ random or pseudorandom integer with $0 < k < q$

(49)

Signing a Message

$r = (g^{k} \bmod p) \bmod q$

$s = [k^{-1}(H(M) + xr)] \bmod q$

• Signature = $(r, s)$

(50)

Verification of the Signature

$w = (s')^{-1} \bmod q$

$u_1 = [H(M)\,w] \bmod q$

$u_2 = (r')\,w \bmod q$

$v = [(g^{u_1} y^{u_2}) \bmod p] \bmod q$

• TEST: $v = r'$

(51)

DSA Signing and Verifying

(52)

DSA: Computational Aspects

• The only computationally demanding task in signature generation is the exponential calculation $g^{k} \bmod p$

• Because this value does not depend on the message to be signed, it can be computed ahead of time

• Indeed, a user could precalculate several values of 𝑟 to be used to sign documents as needed

• The only other somewhat demanding task is the determination of a multiplicative inverse, $k^{-1}$

• Again, a number of these values can be precalculated
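The precomputation described above, as an added example that is not part of the original slides: the pairs $(r, k^{-1} \bmod q)$ are prepared before any message exists, and signing then costs only modular multiplications. The toy parameters $p = 23$, $q = 11$, $h = 2$ are constructed for illustration; SHA-256 as $H$, the function names, and the handling of $r = 0$ or $s = 0$ (discard that $k$ and take the next one) are assumptions of this example rather than statements from the slides.

```python
import hashlib
from collections import deque

# Constructed toy domain parameters, far too small for real use:
# q = 11 divides p - 1 = 22, and g = h^((p-1)/q) mod p with h = 2.
P, Q = 23, 11
G = pow(2, (P - 1) // Q, P)


def digest_int(message: bytes) -> int:
    """H(M) as an integer (SHA-256 here; an assumption of this example)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def dsa_precompute(k_values) -> deque:
    """Message-independent stage: one (r, k^-1 mod q) pair per secret k."""
    pool = deque()
    for k in k_values:
        if not 0 < k < Q:
            raise ValueError("k must satisfy 0 < k < q")
        r = pow(G, k, P) % Q                   # r = (g^k mod p) mod q
        if r != 0:                             # r = 0 is unusable; drop that k
            pool.append((r, pow(k, -1, Q)))
    return pool


def dsa_sign(h_m: int, x: int, pool: deque) -> tuple:
    """Message-dependent stage: s = [k^-1 (H(M) + x r)] mod q."""
    while pool:
        r, k_inv = pool.popleft()              # a pair is consumed once, never reused
        s = (k_inv * (h_m + x * r)) % Q
        if s != 0:                             # s = 0 has no inverse; take the next pair
            return r, s
    raise RuntimeError("no precomputed pairs left")


def dsa_verify(h_m: int, y: int, signature: tuple) -> bool:
    r, s = signature
    if not (0 < r < Q and 0 < s < Q):          # range check before inverting s
        return False
    w = pow(s, -1, Q)
    u1, u2 = (h_m * w) % Q, (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P)) % P % Q
    return v == r                              # TEST: v = r'


if __name__ == "__main__":
    x = 7                                      # constructed private key, 0 < x < q
    y = pow(G, x, P)                           # public key y = g^x mod p
    pool = dsa_precompute([3, 5, 9])           # fixed k for reproducibility; use a CSPRNG in practice
    h_m = digest_int(b"constructed message")
    sig = dsa_sign(h_m, x, pool)
    print(sig, dsa_verify(h_m, y, sig), len(pool))
```

Because $k$ is the per-message secret number, a stored pair has to be protected like the private key and discarded after a single use.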
